You have likely been hearing a lot about WireGuard lately. Some have speculated that this signals the end of OpenVPN. But that's oversimplifying things a bit. In some cases, the 20-year-old VPN protocol even performs better than its more modern counterpart.
We'll dive deep into what sets apart each of these open-source VPN protocols to help you pick the right one for your needs. In order to do this, we must investigate the specifics of their encryption systems, test their performance over long distances, and scrutinize the means by which they try to evade detection in regions with severe digital censorship. However, before we get started, let's quickly review each of these:
In May of 2001, OpenVPN made its debut. OpenVPN gained popularity despite PPTP's five years of existence, due to its superior encryption and negligible impact on connection speed. OpenVPN support for a wider variety of devices has been steadily expanding as security holes have been patched and new clients have been developed over the years. Because of its unprecedented flexibility, OpenVPN was the protocol of choice for the vast majority of commercial VPN apps up until relatively recently.
WireGuard is much more recent; its first stable release didn't come out until 2020. But it was integrated into the Linux and Windows kernels that same year. WireGuard's primary selling point is the superior speed and efficiency it offers in comparison to alternative protocols, all while keeping data securely encrypted. WireGuard has seen widespread adoption, but it is still in beta and has not yet been fully integrated with major operating systems like OpenBSD and FreeBSD.
Not everything can be reduced to a single explanation. Both OpenVPN and WireGuard have advantages and disadvantages. What's appropriate for one user may not be so for another.
A more nuanced strategy is required to produce a comparison that is both fair and objective. Here, we've compared OpenVPN and WireGuard in several key areas of operation and described their respective strengths and weaknesses.
Speed
You should know up front that your VPN connection speed will be capped by your baseline internet speeds. To add insult to injury, even two VPN services utilizing the same protocol may deliver wildly different speeds due to configuration differences.
As of late, however, concerns about OpenVPN's speed have been raised. Not as fast as PPTP or IPSec, but still acceptable; speeds were reduced by around 30%, which is within the norm. Thus, as long as your underlying connection is at least 40 Mbps, you should be able to use a VPN with no noticeable slowdown in performance for any common tasks.
WireGuard appeared out of nowhere and was quickly adopted by major services thanks to the dramatic speed increases it provided. After implementing support for the WireGuard protocol, we saw providers like IPVanish and CyberGhost more than double their average speed, though this is not entirely attributable to WireGuard (since network upgrades and optimization are ongoing).
WireGuard's speedy performance can be attributed to several factors. To begin, it had a significantly smaller code base (only about 4,000 lines) than its predecessor. OpenVPN, by comparison, has been evolving for over two decades and currently contains around 70,000 lines of code. WireGuard can also utilize multiple CPU cores simultaneously for processing data thanks to its support for multi-threading.
Security
The fact that OpenVPN has been around for so long without being compromised lends credence to its claims of being more secure than WireGuard, which is a lot younger. WireGuard, which employs the encryption cipher CHACHA20-POLY1305, can be used with this protocol because it supports more ciphers. Additionally, it is capable of operating on both TCP and UDP, making it more adaptable and, in theory, usable across a wider variety of platforms.
OpenVPN is notoriously challenging to audit due to the sheer volume of its source code. In 2017, a professional audit found several critical flaws that were quickly fixed. But a lot can change in a half decade, so more frequent audits are welcome. Furthermore, the increased variety of attack vectors is a direct result of the wide range of ciphers and devices that can be used. OpenVPN is relatively safe if you keep your installation up to date.
The code in WireGuard was written so that anyone could understand it, and it has also been audited by experts (most recently in 2020). While no security holes were discovered here, it's possible that new ones could emerge as a result of ongoing development.
This protocol's flexibility in integrating with other obfuscation methods and algorithms is an added bonus. The user's source IP address is stored on the server by default in WireGuard, so this is crucial information. Still, VPN services that support WireGuard take precautions to avoid this, such as erasing all session logs after a user logs off or developing alternative authentication methods (like NordVPN's double NAT system, NordLynx).
Bypassing detection
More and more VPN access is being blocked. After all, knowing when a user is connected to a VPN enables websites to ensure nobody is bypassing bans, streaming services to restrict content by region, and authoritarian governments to prevent citizens from accessing otherwise inaccessible content online.
OpenVPN starts off with a slight advantage. Either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) may be selected as the underlying transport protocol. UDP is quicker, but its traffic is automatically routed through the widely-blocked port 1194, making it difficult to use. OpenVPN, on the other hand, transmits TCP data over port 443, which is also used by HTTPS traffic. In a nutshell, if this port is blocked, users cannot access any sites that require encrypted user traffic (roughly 95 percent of all sites suggested by Google at the time of writing).
However, this approach isn't 100% reliable. The more diligent businesses can use a method called deep packet inspection (DPI) to analyze your data packets, which will reveal patterns that closely correspond to OpenVPN traffic. In order to avoid this, VPNs must obfuscate the traffic even more, but not all VPN providers do so.
While WireGuard does support UDP, it was not built to conceal user traffic in this way. This makes it simple to identify a lone WireGuard connection. However, most VPN services have added their own layer of obfuscation on top of WireGuard because it is so easily customizable. While results may vary, we have seen WireGuard-supported services that function in China, so it's clear that the protocol isn't a bottleneck.
Supported devices
OpenVPN is currently supported by all major router firmware and is therefore available in virtually every consumer VPN. You don't have to create your own VPN just to protect your home network because the vast majority of reliable VPN providers let users download OpenVPN configuration files.
WireGuard is currently less popular but is quickly gaining ground. However, there are two major concerns with regard to backing. To begin, almost no VPNs offer the router configuration files necessary to use this protocol. Second, even if config files were made available, some routers that support standard WireGuard traffic may not be compatible with proprietary protocols like NordLynx.
There is no best VPN protocol overall. OpenVPN will continue to be a viable option until WireGuard can be simply installed on routers and avoid detection without the need for additional obfuscation tools.
Instead, it is up to the user to select the appropriate tool. However, a TCP-based OpenVPN connection may be preferable if you're having trouble bypassing geo-blocking, while a WireGuard connection may be the better choice if you're looking to maximize speeds.
If I use OpenVPN, will I be safe?
OpenVPN has been around for over 20 years, and yes, it is still a secure protocol to use. True, there may be flaws that have yet to be uncovered, but the same can be said of any piece of software. In light of the widespread adoption of this technology, you can rest assured that any discovered security flaws will be addressed promptly.
Do site-to-site connections work with WireGuard?
Connecting multiple networks or servers is a breeze with WireGuard's VPN. You can protect data traveling to, from, and within the new network in this way. WireGuard site-to-site connections have widespread support, though many firewall providers still don't permit their use (Sonicwall and Barracuda are two that do). However, major firmware like OpenWRT, DD-WRT, pfSense, and Asus all offer WireGuard configuration guides on their respective websites, making it much simpler to connect two routers.
Is WireGuard preferable to L2TP and why?
Compared to WireGuard, L2TP's slower speeds are about the same as those of OpenVPN. Nonetheless, a wider variety of devices can use it, and setup instructions can be found in the "help" sections of most major VPNs' websites. Both protocols use predetermined ports for data transmission, making them easy targets for traffic blocking without additional concealment measures.
Fastest VPN protocol?
When compared to OpenVPN and IKEv2, WireGuard is the modern VPN protocol that offers the highest throughput, regardless of distance. Although PPTP is fast, its lack of security makes it a poor choice for sensitive data. Unfortunately, its encryption is so easy to break that it provides almost no security at all.
